Summary
The schedule field from config files is written directly to the crontab file without validating that it matches valid cron syntax. While the impact is limited (invalid schedules cause cron parse errors rather than injection), a crafted value could potentially affect crontab parsing or inject comment/newline characters.
Location
entrypoint.sh lines 161–166
```sh
SCHEDULE=$(echo "${KEY}" | jq -r '.schedule' | sed 's/\*/\\*/g')
if [ "${SCHEDULE}" == "null" ]; then
    echo "'schedule' missing: '${KEY}"
    continue
fi
SCHEDULE=$(parse_schedule "${SCHEDULE}" | sed 's/\\//g')
```
Risk
- Newline injection into the crontab file could insert unauthorized cron entries
- Invalid cron syntax silently breaks job scheduling
Recommended Fix
Validate the schedule string before writing it. At minimum, strip or reject newline characters:
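```sh
# Reject newline and carriage-return characters.
# grep matches line by line and cannot see an embedded newline, so compare
# the value against a copy with those characters deleted instead.
if [ "$(printf '%s' "${SCHEDULE}" | tr -d '\n\r')" != "${SCHEDULE}" ]; then
    echo "Error: invalid schedule value"
    continue
fi
```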
For stronger validation, check against the expected cron field pattern before writing.
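One way to do that stronger check, as an added example that is not code from entrypoint.sh: `is_valid_schedule` and `field_ok` are hypothetical helpers that accept only a five-field numeric cron expression or a common `@` macro, and reject everything else, including any control character. It assumes that is the form `parse_schedule` is expected to produce; month and weekday names and tab separators are deliberately not accepted.

```sh
#!/bin/sh
# Added example: is_valid_schedule and field_ok are hypothetical helpers,
# not code from entrypoint.sh. Assumes the crontab line starts with a
# five-field numeric cron expression or one of the common @macros.

# field_ok FIELD MIN MAX: comma list of "*", N or N-M, each with optional /STEP
field_ok() (
  printf '%s\n' "$1" | grep -Eq \
    '^(\*|[0-9]+(-[0-9]+)?)(/[1-9][0-9]*)?(,(\*|[0-9]+(-[0-9]+)?)(/[1-9][0-9]*)?)*$' \
    || return 1
  # Drop the /STEP parts, then range-check every remaining number.
  for n in $(printf '%s' "$1" | sed 's#/[0-9]*##g' | tr -c '0-9' ' '); do
    [ "$n" -ge "$2" ] && [ "$n" -le "$3" ] || return 1
  done
)

is_valid_schedule() (
  s=$1
  # Reject every control character (newline, CR, tab, ...) before parsing.
  [ "$(printf '%s' "$s" | LC_ALL=C tr -d '[:cntrl:]')" = "$s" ] || return 1
  case "$s" in
    @reboot|@yearly|@annually|@monthly|@weekly|@daily|@hourly) return 0 ;;
  esac
  # Split into fields without globbing; anything after field 5 lands in "extra".
  read -r min hour dom mon dow extra <<EOF
$s
EOF
  [ -n "$dow" ] && [ -z "$extra" ] || return 1
  field_ok "$min" 0 59 && field_ok "$hour" 0 23 && field_ok "$dom" 1 31 &&
    field_ok "$mon" 1 12 && field_ok "$dow" 0 7
)

# Constructed sample values, not taken from any real config.
for sample in '*/5 * * * *' '@daily' '61 * * * *' '* * * *' '* * * * * # x'; do
  if is_valid_schedule "$sample"; then
    echo "ok:     $sample"
  else
    echo "reject: $sample"
  fi
done
```

In the loop shown under Location, the call would sit after the final `SCHEDULE=` assignment, with `continue` on failure.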
Severity
Medium